53a6f199fe
## Description ref: #10968 I would like to have some eyes to: - Make sure the state machine vulnerabiities are indeed bugs that should be fixed: - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r846091449 - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r846093388 - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r846096172 - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r849306060 - Some open questions: - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r846090420 - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r846094966 - [x] https://github.com/cosmos/cosmos-sdk/pull/11559#discussion_r851193426 Other code changes are small: some small refactors to make code clearer, less panics, better error messages... depends on: - [x] #11560 --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
70 lines
2.6 KiB
Go
70 lines
2.6 KiB
Go
package keeper
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
sdk "github.com/cosmos/cosmos-sdk/types"
|
|
"github.com/cosmos/cosmos-sdk/types/errors"
|
|
authmiddleware "github.com/cosmos/cosmos-sdk/x/auth/middleware"
|
|
"github.com/cosmos/cosmos-sdk/x/group"
|
|
grouperrors "github.com/cosmos/cosmos-sdk/x/group/errors"
|
|
)
|
|
|
|
// doExecuteMsgs routes the messages to the registered handlers. Messages are limited to those that require no authZ or
|
|
// by the account of group policy only. Otherwise this gives access to other peoples accounts as the sdk middlewares are bypassed
|
|
func (s Keeper) doExecuteMsgs(ctx sdk.Context, router *authmiddleware.MsgServiceRouter, proposal group.Proposal, groupPolicyAcc sdk.AccAddress) ([]sdk.Result, error) {
|
|
// Ensure it's not too late to execute the messages.
|
|
// After https://github.com/cosmos/cosmos-sdk/issues/11245, proposals should
|
|
// be pruned automatically, so this function should not even be called, as
|
|
// the proposal doesn't exist in state. For sanity check, we can still keep
|
|
// this simple and cheap check.
|
|
expiryDate := proposal.VotingPeriodEnd.Add(s.config.MaxExecutionPeriod)
|
|
if expiryDate.Before(ctx.BlockTime()) {
|
|
return nil, grouperrors.ErrExpired.Wrapf("proposal expired on %s", expiryDate)
|
|
}
|
|
|
|
msgs, err := proposal.GetMsgs()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
results := make([]sdk.Result, len(msgs))
|
|
if err := ensureMsgAuthZ(msgs, groupPolicyAcc); err != nil {
|
|
return nil, err
|
|
}
|
|
for i, msg := range msgs {
|
|
handler := s.router.Handler(msg)
|
|
if handler == nil {
|
|
return nil, errors.Wrapf(grouperrors.ErrInvalid, "no message handler found for %q", sdk.MsgTypeURL(msg))
|
|
}
|
|
r, err := handler(ctx, msg)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "message %q at position %d", msg, i)
|
|
}
|
|
// Handler should always return non-nil sdk.Result.
|
|
if r == nil {
|
|
return nil, fmt.Errorf("got nil sdk.Result for message %q at position %d", msg, i)
|
|
}
|
|
|
|
results[i] = *r
|
|
}
|
|
return results, nil
|
|
}
|
|
|
|
// ensureMsgAuthZ checks that if a message requires signers that all of them
|
|
// are equal to the given account address of group policy.
|
|
func ensureMsgAuthZ(msgs []sdk.Msg, groupPolicyAcc sdk.AccAddress) error {
|
|
for i := range msgs {
|
|
// In practice, GetSigners() should return a non-empty array without
|
|
// duplicates, so the code below is equivalent to:
|
|
// `msgs[i].GetSigners()[0] == groupPolicyAcc`
|
|
// but we prefer to loop through all GetSigners just to be sure.
|
|
for _, acct := range msgs[i].GetSigners() {
|
|
if !groupPolicyAcc.Equals(acct) {
|
|
return errors.Wrapf(errors.ErrUnauthorized, "msg does not have group policy authorization; expected %s, got %s", groupPolicyAcc.String(), acct.String())
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|